Fifth Domain

Iran looking to enhance cyber capabilities

While China and Russia have built up a robust profile in cyberspace, many are warning about Iran's growing capabilities and behavior.

Iran is one of the five evolving strategic challenges facing the U.S., along with Russia, China, North Korea and terrorism, according to Defense Secretary Ash Carter. Iran's malicious activity in the physical world -- such as its pursuit of nuclear weapons, its testing of ballistic missiles and its support for proxies in the Middle East that have claimed the lives of American service members -- has long made the Islamic Republic a threat. Iran has also been bolstering its cyber capabilities and activity to serve its interests.

In a July report published by the Washington Institute for Near East Policy titled "Iran's Lengthening Cyber Shadow," its author, Washington Institute fellow Michael Eisenstadt, offers three points that explain Iran's growing interest in cyber. It fits well with Iran's strategic culture given cyberspace's inherent ambiguity and standoff; the lack of international cyber norms provides Iran with a "margin for maneuver" in cyberspace; and given that lack of norms, Iran hopes to shape the international framework so that its cyberspying and offensive cyber operations become tolerated, much as its support for proxies that many consider terrorist organizations has been.

"Iran believes that domestic and foreign threats form a seamless web, and that the domestic opposition is inspired by foreign cultural influences and enabled by foreign powers that seek to bring down the Islamic Republic," Eisenstadt explained. "It likewise believes that Western popular culture has a morally corrosive impact on Iranian youth, and that U.S. soft warfare aims to alienate Iran's youth from the ideology of the revolution, undermine popular support for the regime, and sap the social cohesion of the Islamic Republic. It sees both as existential threats to the Islamic Republic."

For Iran, cyber also represents that existential threat -- and provides an exceptional opportunity.

"This is why Tehran is investing so much effort in developing its cyber capabilities: to deter both cyber and traditional military challenges, to wage its own version of soft warfare while its proxy and conventional military forces are kept in reserve, and to be able to strike its enemies globally, instantaneously, and on a sustained basis—something it cannot do in the physical domain," he noted.

According to the Soufan Group, a security consultancy firm, the joint U.S.-Israeli cyberattack on Iran's nuclear infrastructure by way of the Stuxnet virus added to the "Iranian government's sense of urgency for developing its cyber capabilities." Additionally, "[t]he extensive use of social media by participants in the 2009 'Green Movement' uprising in Iran convinced the regime it needed additional capabilities to control and monitor the public's use of the Internet," the Soufan Group concluded, noting "Iran's security apparatus has developed advanced cyber capabilities that can be adapted to different missions."

From a U.S. threat perspective, however, Iran, while thought to be rising in capability, is still considered a lower-tier threat than Russia and China.

"The states that we watch most closely in cyberspace remain Russia, China, Iran and North Korea. Russia and China are both very capable cyber operators, while Iran and North Korea represent lesser, but still significant, challenges to U.S. interests," read the joint statement of several top Defense Department cyber officials for a June House Armed Services Committee hearing.

The chief of Cyber Command has also provided a similar assessment.

"Iran and North Korea represent lesser but still serious challenges to U.S. interests. Although both states have been more restrained in this last year in terms of cyber activity directed against us, they remain quite active and are steadily improving their capabilities, which often hide in the overall worldwide noise of cybercrime," Adm. Michael Rogers wrote in prepared testimony for an April hearing before the Senate Armed Services Committee. "Both of these nations have encouraged malicious cyber activity against the United States and their neighbors, but they currently devote the bulk of their resources and effort to working against their neighbors."

While Central Command declined to offer any information regarding Iran's cyber activity, both within the region and toward U.S. assets, citing operational security, its commander, Gen. Joseph Votel, said Iran's behavior has not changed since the landmark agreement signed by Iran and six world powers, including the U.S., to curb its nuclear program.

"I don't think that it has changed their behavior," he said at the Aspen Security Forum in July. "We still see them supporting organizations like Lebanese Hezbollah, we still see them supporting the Assad regime, we still see them with their linkages into places like Bahrain, we still see them backing the Houthi network, we still see aspects of their cyber ambitions -- so I personally have not seen a change in behavior."

A global threat report published by the cybersecurity firm CrowdStrike noted that just prior to the inking of the nuclear deal, Iran's Supreme Leader Ayatollah Ali Khamenei provided an outline for Iran's Five Year Plan with several points focused on improving its infrastructure and cyber capabilities. The first priority, the report said, is aimed at "gain[ing] 'superior status in the region' with the development of the National Information Network (National Internet)."

Eisenstadt wrote that Iran has ramped up its cyberspying operations against U.S. officials, journalists and academics involved in Iran policy following the nuclear deal. "Iran's cyber warriors appear to have more or less returned to their pre-negotiations operational tempo," he wrote.

Iran's cyber capabilities, Eisenstadt assessed, could be a fourth leg of Iran's deterrent and warfighting triad that includes disrupting maritime traffic through the Strait of Hormuz, unilateral and proxy terrorist attacks across the world and long-range missile and rocket strikes against targets in the region. Furthermore, Iran is believed to be aiding and building up Hezbollah's cyber capabilities "to employ the group as a cyberspace proxy, just as it has often used it as a terrorist and irregular warfare proxy," Eisenstadt wrote.

Iran's Islamic Revolutionary Guard Corps' "external cyber operations started slowly, focusing initially on cyber-espionage against a wide range of regional and Western targets. Encouraged by the ease of penetrating adversary networks and the deniability of its intrusions, the IRGC began conducting actual attacks as a tool of its regional strategy," according to the Soufan Group. "For Iran, the cyberattacks were meant to send a message to its regional adversaries that they had underestimated Iranian technological prowess. Iran hoped to demonstrate that Saudi Arabia, Israel, and Western powers were vulnerable, and that Iran could expand its arsenal beyond conventional warfare or warfare by proxy."

Iran's successes in cyberspace include the intrusion into the systems of Saudi Aramco in 2012, a 2014 attack on billionaire Sheldon Adelson's Las Vegas casino headquarters in retaliation for Adelson calling for a nuclear strike on Iran, and a series of distributed denial of service attacks against the U.S. stock exchange in 2012. Recently, it was discovered that Iranians gained access to a small dam in New York as well.

One of the deterrent measures taken by the U.S. has been indictments against those who have hacked into U.S. systems. In March, several Iranians believed to be responsible for the stock exchange and dam intrusions were indicted for their actions. However, given that Iran has not obeyed international norms, some are skeptical of the deterrent effect that indictments or potential cyber norms will have in curbing Iran's behavior in cyberspace.

"[T]here is little reason to believe that Iran would adhere to the kinds of cyber norms and confidence-building measures recently recommended by a group of governmental experts convened by the United Nations," Eisenstadt wrote, citing that Iran has "joined every major arms-control regime, including the Chemical Weapons Convention and the Nuclear Nonproliferation Treaty...yet it is not clear that Iran is in compliance with its CWC obligations, and it has a long record of engaging in undeclared activities in violation of its International Atomic Energy Agency and NPT obligations."

Eisenstadt offered a series of steps the U.S. can take to bolster deterrence in cyberspace. They include, among others, responding asymmetrically and holding vital Iranian assets at risk if conflict breaks out, so as to make the U.S. more unpredictable; relying on threats to wage "soft warfare" in addition to cyber and military means to play on Iran's "deepest fears;" and "repair[ing] its credibility gap in the physical domain" in the hope of fostering a spillover effect into the cyber and virtual space.